India needs a proper privacy law

September 29, 2009 14:37 IST

The Kargil review committee went into the failure to share intelligence, seen as one of the causes of the Kashmir war, and recommended corrective action. The government then decided to set up a Multi-Agency Centre to coordinate and share intelligence available with the different agencies, including the Intelligence Bureau, the Research and Analysis Wing and Military Intelligence.

It was also decided that a National Intelligence Grid would be set up at a subsequent stage. Nothing happened for many years, until the Mumbai attack of last year, which was seen as having resulted from yet another failure of intelligence coordination. A new home minister took charge, and soon there was action.

The Mac was set up within weeks, and Mr Chidambaram chaired its first meeting in January. Nig was then promised as State II, and it has now been disclosed that this will involve the sharing of information (not just intelligence) by 11 agencies which run 20 different databases, ranging from income tax returns to bank accounts, and from telephone records to internet search histories.

The databases will remain in separate silos, but information from these databases can and will be shared. Along the way was born the Unique Identity project, headed by Nandan Nilekani, which could result in biometric cards.

Everyone will welcome the sharing of intelligence, and such initiatives as Mr Chidambaram's move to network the country's 16,000 police stations so that information can be exchanged by them real-time. India has suffered for far too long from an uncoordinated, turf-driven system of gathering and using intelligence, and from managing information as though the information technology revolution never happened.

However, it also goes without saying that the moves to modernise these systems and network them raise serious questions relating to privacy, data security and identity theft.

India does not have a proper privacy law. The right to privacy is not explicitly recognised in the Constitution, and is only seen to be derived from the right to life and liberty.

The laws that do exist relate to the privacy of data held by public financial bodies (like banks) and cyber-data (the Information Technology Act of 2002). The privacy of personal communication, including telephone calls, is protected under the Telegraph Act of 1885, but has been frequently violated by the intelligence agencies, leading to Supreme Court strictures and directives in 1996.

This situation is completely unsatisfactory when a massive amount of extremely personal and private information is to be made available to a much broader group of people than has been the case so far, and when a biometric card system might result from the Unique Identification project.

A proper law guaranteeing privacy is therefore an urgent and vital matter that needs the government's immediate attention, and should incorporate careful safeguards against the misuse of information, and stringent punishment for cases where there is misuse.

Equally, the danger of centralising access to information is that you present a more attractive target to hackers. The security of various databases and communication networks therefore becomes a matter of vital concern, not just to government intelligence agencies but to every private citizen.

Identity theft is a growth industry in many countries, and the last thing anyone would want is for it to materialise in India. Finally, while mandating the sharing of intelligence is fine, how will the government ensure that intelligence is in fact shared, and used effectively (it might be worth checking how effectively the tax information network is being used by the revenue department)?